One of the most overlooked advantages in preparing early for the Cyber Resilience Act is the opportunity to drastically reduce your future reporting workload.
If your organisation identifies and fixes actively exploited vulnerabilities before 11 September 2026, you significantly reduce the legal reporting process that becomes mandatory from that date.
Every vulnerability you remediate early is one fewer potential legal obligation and one fewer time bound reporting workflow once CRA reporting rules activate.
This article explains why acting early matters, what counts as an actively exploited vulnerability under the CRA and which reporting requirements you can realistically avoid by resolving issues in advance.
Why 11 September 2026 Changes Everything
From 11 September 2026, the CRA introduces mandatory reporting obligations for manufacturers when they become aware of:
- actively exploited vulnerabilities
- severe security incidents
These obligations apply to products with digital elements that are in scope of the CRA, including products that were placed on the market before full CRA applicability in December 2027.
This creates a strategic window.
By fixing vulnerabilities before September 2026, you reduce the chance that you will ever need to run the formal CRA reporting workflow for those issues.
What you avoid is not security responsibility itself, but the administrative and legal reporting burden that follows awareness of an actively exploited vulnerability after the reporting date.
What Is an Actively Exploited Vulnerability under the CRA
Under the CRA, an actively exploited vulnerability is one for which there is reliable evidence that a malicious actor has exploited it in a system without the permission of the system owner.
Two important clarifications matter here.
First, exploitation does not need to target your organisation. Evidence of exploitation anywhere in the world is sufficient.
Second, good faith security research, testing, or responsible disclosure without malicious intent does not trigger reporting obligations.
The reporting obligation starts when the manufacturer becomes aware of such exploitation. The regulation does not prescribe how that awareness must occur.
Data: Most codebases contain vulnerable components
The 2025 OSSRA Report found that 86% of commercial codebases include at least one known open source vulnerability, and 81% contain issues rated high risk or critical.
This reality explains why the CRA places such strong emphasis on secure development, vulnerability handling, and lifecycle security. Even mature products routinely ship with inherited risk.
Transitive dependencies create the biggest exposure
Supply chain research consistently shows that most vulnerabilities originate deep inside dependency trees rather than in first level code.
- 77%% of vulnerabilities come from transitive dependencies
- Codacy reports that around 95% of vulnerabilities arise from indirect components
From a CRA perspective, this matters because manufacturers remain responsible for vulnerabilities contained in their products, even when they originate from integrated third party components.
A product cannot credibly be described as secure by design if large parts of the dependency stack are invisible or unmanaged.
First scans usually uncover multiple high risk issues
Industry reports consistently show that a full dependency and application scan almost always reveals several high risk vulnerabilities immediately.
Not all of these will be actively exploited. However, once reliable exploitation evidence emerges and the manufacturer becomes aware of it after September 2026, reporting obligations apply.
What You Will Have To Report Starting September 2026
If an actively exploited vulnerability remains in your product after reporting obligations start, the CRA requires a structured reporting sequence.
Early warning within 24h
You must notify authorities of:
- the vulnerability
- where the affected product is made available, when known
Vulnerability notification within 72h
This must include, when available:
- product details and affected versions
- the nature of the exploit
- mitigation measures already taken
- guidance for users
- a sensitivity assessment
Final report within 14 days after a patch is available
This must include:
- a detailed description and severity assessment
- information about any known malicious actor, when available
- the security update or corrective measures issued
Severe security incidents follow a similar structure, with a final report due within one month.
In addition, manufacturers must inform affected users, and in some cases all users, about the vulnerability or incident and the necessary mitigation actions.
Why Acting Now Will Save You Hours Later
Addressing high risk and potentially exploitable vulnerabilities before 11 September 2026 allows you to:
- reduce the likelihood of triggering CRA reporting workflows
- lower future compliance and legal costs
- minimise operational and reputational risk
- stabilise vulnerability management processes
- enter September 2026 with far fewer unknowns
It also demonstrates proactive cybersecurity governance, which strengthens customer trust and regulatory confidence.
ScanDog supports this strategy by correlating known exploitation intelligence with your code and dependencies, helping teams identify what matters most and resolve issues before CRA reporting obligations become unavoidable.
ScanDog offers a 1 month free trial, with no commitment or obligation to continue. That means you can use our solution to find all the actively exploitable vulnerabilities and fix them quickly, hence avoiding hours of reporting, for free!
ScanDog is an AI-powered Application Security Posture Management (ASPM) platform that helps development teams build secure software faster. With advanced vulnerability prioritization, reachability analysis, and AI-assisted remediation, ScanDog cuts through the noise of false positives to focus on what truly matters.